Install and integrate Rspamd

This is the third part of our Setting up and configuring a mail server series. In this part we will go through the installation and configuration of the Rspamd spam filtering system, its integration into our mail server, and the creation of DKIM and DMARC DNS records. You may ask why we chose Rspamd rather than SpamAssassin. Rspamd is written in C and is much faster than SpamAssassin, which is written in Perl, and Rspamd is also more actively maintained. Another reason is that Rspamd comes with a DKIM signing module, so we will not need separate software to sign our outgoing email.

If you are not familiar with Rspamd, you can check the official documentation here.

Install Redis

Rspamd uses Redis as its storage and caching backend (statistics, fuzzy hashes, greylisting and rate limits all live there). To install it, run:

sudo apt install redis-server

Install Unbound

Unbound is a validating, recursive, caching DNS resolver.

Rspamd performs many DNS lookups per message (DNS blacklists, SPF, DKIM and DMARC records), and a local caching resolver serves repeated queries from its cache, which reduces the number of external DNS requests. This step is optional and can be skipped.

Configure Rspamd

Instead of modifying the stock configuration files we will create new files in the /etc/rspamd/local.d/ directory. Settings placed there are merged with the defaults and override the stock values for the options they contain (files in /etc/rspamd/override.d/ replace a whole section instead), and they are not touched by package upgrades.

By default Rspamd's normal worker (the worker that scans email messages) listens on all interfaces on port 11333, which exposes an unauthenticated scanning endpoint to the network. Create the following file to make the normal worker listen only on the localhost interface:

/etc/rspamd/local.d/worker-normal.inc

bind_socket = "127.0.0.1:11333";

The proxy worker listens on port 11332 and supports the milter protocol, which is how Postfix hands messages to an external filter. For Postfix to communicate with Rspamd we need to enable milter mode:
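The proxy worker configuration and the matching Postfix side, as an added example that is not the article's own file. It assumes Postfix and Rspamd run on the same host and the Debian/Ubuntu paths /etc/rspamd/local.d/ and /etc/postfix/main.cf; the target directory is a parameter so the function can be tried against a scratch directory before touching the live configuration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes Postfix and Rspamd
# on the same host and Debian/Ubuntu paths; adjust if your layout differs.

# Write worker-proxy.inc into $1 (default: /etc/rspamd/local.d).
write_worker_proxy_inc() {
    local dir="${1:-/etc/rspamd/local.d}"
    cat > "$dir/worker-proxy.inc" <<'EOF'
# Listen on the loopback interface only; Postfix runs on the same host.
bind_socket = "127.0.0.1:11332";
# Speak the milter protocol to Postfix instead of the Rspamd proxy protocol.
milter = yes;
# Scan messages in the proxy worker itself instead of forwarding them to a
# normal worker over the network.
upstream "local" {
  default = yes;
  self_scan = yes;
}
EOF
}

# Print the main.cf settings that hand every message, both received over
# SMTP and locally submitted, to the milter on 127.0.0.1:11332.
postfix_milter_settings() {
    cat <<'EOF'
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
# Macros Rspamd uses for its policies (client address, SASL user, ...)
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# What to do if Rspamd is down: accept mail unfiltered. Use tempfail instead
# if you would rather have Postfix defer mail until the filter is back.
milter_default_action = accept
EOF
}

# Usage, as root:
#   write_worker_proxy_inc
#   postfix_milter_settings | grep -v '^#' | while read -r line; do
#       postconf -e "$line"; done
#   systemctl restart rspamd postfix
```

milter_default_action is the security-relevant choice here: accept keeps mail flowing if Rspamd crashes, at the price of unscanned messages, while tempfail makes senders retry later.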

Create DKIM keys

DomainKeys Identified Mail (DKIM) is an email authentication method that adds a cryptographic signature, carried in a DKIM-Signature header, covering selected headers and the body of each outbound message. It allows the receiver to verify that an email claiming to originate from a specific domain was indeed authorized by the owner of that domain and that the signed parts were not altered in transit. Its main purpose is to detect forged email messages.

We can have a different DKIM key for each of our domains, and even multiple keys for a single domain, but for the simplicity of this article we are going to use a single DKIM key, which can later be reused for all new domains. Bear in mind that with a shared key, one compromised private key lets an attacker sign mail for every domain that uses it.

Create a new directory to store the DKIM key and generate a new DKIM keypair using the rspamadm utility:

You should now have two new files in the /var/lib/rspamd/dkim/ directory: mail.key, our private key, and mail.pub, which contains the DKIM public key formatted as a DNS TXT record. Make sure mail.key is readable by the user Rspamd runs as (_rspamd on Debian-based systems) and by nobody else, since anyone who can read it can sign mail as your domain. We will update our DNS zone records later.

Now we need to tell Rspamd where to find the DKIM key and which selector name to use; the last line enables DKIM signing when the authenticated username does not match the sender address, for example when a user sends from an alias. To do that, create a new file with the following contents:

Rspamd also supports Authenticated Received Chain (ARC) signing. You can find more information about the ARC specification here. Rspamd's arc module accepts the same options as the dkim_signing module, so we can simply copy the previous configuration:

cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

Restart the Rspamd service for changes to take effect.

sudo systemctl restart rspamd
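The DKIM steps above (key generation, dkim_signing.conf, the arc.conf copy and the restart) as one script, added here as an example and not the article's own files. The selector mail, the key directory /var/lib/rspamd/dkim, the _rspamd service user and example.com are assumptions matching a Debian/Ubuntu install; the configuration directory is a parameter so the function can be exercised against a scratch directory.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Selector, key directory,
# the _rspamd user and example.com are assumptions; adjust for your setup.

# Generate the key pair with rspamadm (private key to $keydir/$selector.key,
# DNS record to $keydir/$selector.pub) and lock the private key down to the
# Rspamd service user.
generate_dkim_key() {
    local domain="$1" selector="${2:-mail}" keydir="${3:-/var/lib/rspamd/dkim}"
    mkdir -p "$keydir"
    rspamadm dkim_keygen -b 2048 -s "$selector" -d "$domain" \
        -k "$keydir/$selector.key" > "$keydir/$selector.pub"
    chown _rspamd:_rspamd "$keydir/$selector.key"   # service user: assumption
    chmod 600 "$keydir/$selector.key"
    chmod 644 "$keydir/$selector.pub"
}

# Write dkim_signing.conf into $confdir and copy it to arc.conf, since the
# arc module takes the same options.
write_dkim_signing_conf() {
    local selector="${1:-mail}" keydir="${2:-/var/lib/rspamd/dkim}"
    local confdir="${3:-/etc/rspamd/local.d}"
    cat > "$confdir/dkim_signing.conf" <<EOF
# Selector published in DNS as ${selector}._domainkey.<domain>
selector = "$selector";
# One private key shared by every domain this server signs for
path = "$keydir/$selector.key";
# Sign even when the SASL username does not match the From: address
# (needed when users send from aliases)
allow_username_mismatch = true;
EOF
    cp "$confdir/dkim_signing.conf" "$confdir/arc.conf"
}

# Usage, as root:
#   generate_dkim_key example.com
#   write_dkim_signing_conf
#   rspamadm configtest && systemctl restart rspamd
```

Running rspamadm configtest before the restart catches a typo in the new files while the old configuration is still serving mail.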

DNS settings

We have already created a DKIM key pair; now we need to update our DNS zone. The DKIM public key is stored in the mail.pub file, already formatted as a zone file record. Its content should look like this:

If you run your own BIND DNS server, copy and paste the record directly into your domain's zone file. If you use a DNS provider's web interface, create a new TXT record with mail._domainkey as the name; for the value/content, remove the quotes and concatenate all three strings into one. (A single TXT string is limited to 255 characters, which is why the file splits the key; most providers split a long value automatically.) In our case the value/content of the TXT record should look like this:
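Turning the mail.pub record into the single value a provider's web form expects, as an added example that is not part of the article. The record below is a constructed sample in the format rspamadm dkim_keygen produces, with a placeholder in place of a real key.

```shell
#!/usr/bin/env bash
# Added example, not from the original article.

# Constructed sample of a mail.pub file as rspamadm dkim_keygen writes it:
# a zone TXT record split into several quoted strings, because one TXT
# string cannot exceed 255 characters. The p= value is a placeholder,
# not a real key.
SAMPLE_PUB='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderplaceholder"
    "placeholderplaceholderplaceholderIDAQAB" ) ;'

# Print the record's quoted strings joined into one value with the quotes
# removed: what a DNS web interface wants in its value/content field.
# Whitespace inside a string (after "k=rsa;") is kept; whitespace and line
# breaks between strings are dropped.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"' | tr -d '\n'
    echo
}

# Print the record name (the owner before IN TXT), e.g. mail._domainkey.
dkim_txt_name() {
    awk '{ print $1; exit }' "$1"
}

# Demo on the constructed sample. For the real file use:
#   dkim_txt_value /var/lib/rspamd/dkim/mail.pub
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PUB" > "$tmp"
printf 'name:  %s\nvalue: %s\n' "$(dkim_txt_name "$tmp")" "$(dkim_txt_value "$tmp")"
rm -f "$tmp"
```

Compare the printed value against the record the provider shows after saving: a dropped character in the p= part produces a key that looks fine but never verifies.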

We will also create a Domain-based Message Authentication, Reporting and Conformance (DMARC) record, which tells receiving servers what to do with mail that claims to come from our domain but fails the SPF and DKIM alignment checks. In effect it protects your domain against direct domain spoofing and improves your domain's reputation.

If you followed the series from the beginning you should already have an SPF record for your domain. DMARC builds on SPF and DKIM, so the sending domain needs both published. The DMARC policy is published as a TXT record at _dmarc.<yourdomain> and defines how receivers should treat mail from your domain when validation fails.

In this article we will implement the following DMARC policy:

_dmarc IN TXT "v=DMARC1; p=none; adkim=r; aspf=r;"

Let’s break down the above DMARC record:

v=DMARC1 - The DMARC version identifier; it must be the first tag in the record.

p=none - Tells the receiver what to do with messages that fail DMARC. none means take no action (monitoring only); the other values are quarantine and reject. Start with none and only move to quarantine or reject once you are sure that all legitimate mail for the domain passes; adding a rua=mailto:... tag gets you aggregate reports from receivers that show this.

adkim=r and aspf=r - DKIM and SPF alignment mode, r for relaxed and s for strict. Relaxed alignment accepts a subdomain of the From: domain, strict requires an exact match. We use relaxed alignment for both, which is also the default.

As before, if you run your own BIND DNS server, copy and paste the record into your domain's zone file; if you use another DNS provider, create a TXT record with _dmarc as the name and v=DMARC1; p=none; adkim=r; aspf=r; as the value/content.

It may take a while for the DNS changes to propagate. You can check whether the records are visible using the dig command:
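Looking up the published records with dig and sanity-checking their tags, as an added example that covers both the DMARC breakdown above and the propagation check; it is not part of the article. example.com is a placeholder, and because the lookups need network access the checks are demonstrated on constructed record strings.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. example.com is a placeholder.

# Fetch a TXT record. dig prints a long record as several quoted strings on
# one line; dropping the quotes joins them into one value. Query a public
# resolver explicitly so the local Unbound cache cannot hide a fresh change.
lookup_txt() {
    dig +short TXT "$1" @1.1.1.1 | tr -d '"'
}

# Split a record into key=value tags on ';', trimmed, one per line.
split_tags() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t' | grep -v '^$'
}

# Validate a DKIM key record: v=DKIM1 first, p= present and non-empty
# (an empty p= is how a revoked key is published).
check_dkim() {
    local rec="$1" p='' tag
    case "$(split_tags "$rec" | head -n1)" in
        v=DKIM1) ;;
        *) echo "DKIM: record should start with v=DKIM1" >&2; return 1 ;;
    esac
    for tag in $(split_tags "$rec"); do
        case "$tag" in p=*) p="${tag#p=}" ;; esac
    done
    if [ -z "$p" ]; then
        echo "DKIM: missing or empty p= (public key)" >&2; return 1
    fi
    echo "DKIM ok: key is ${#p} base64 characters"
}

# Validate a DMARC record against the tags discussed above: v=DMARC1 first,
# p= one of none/quarantine/reject, adkim/aspf r or s (default r).
check_dmarc() {
    local rec="$1" p='' adkim='r' aspf='r' tag
    case "$(split_tags "$rec" | head -n1)" in
        v=DMARC1) ;;
        *) echo "DMARC: record must start with v=DMARC1" >&2; return 1 ;;
    esac
    for tag in $(split_tags "$rec"); do
        case "$tag" in
            p=*)     p="${tag#p=}" ;;
            adkim=*) adkim="${tag#adkim=}" ;;
            aspf=*)  aspf="${tag#aspf=}" ;;
        esac
    done
    case "$p" in
        none|quarantine|reject) ;;
        *) echo "DMARC: p= must be none, quarantine or reject (got '$p')" >&2; return 1 ;;
    esac
    case "$adkim$aspf" in
        rr|rs|sr|ss) ;;
        *) echo "DMARC: adkim/aspf must be r or s (got '$adkim'/'$aspf')" >&2; return 1 ;;
    esac
    echo "DMARC ok: policy=$p adkim=$adkim aspf=$aspf"
}

# Constructed records in the shape dig returns (placeholder key, not real).
EXAMPLE_DKIM='v=DKIM1; k=rsa;  p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder IDAQAB'
EXAMPLE_DMARC='v=DMARC1; p=none; adkim=r; aspf=r;'
check_dkim "$EXAMPLE_DKIM"
check_dmarc "$EXAMPLE_DMARC"

# Against the live zone (needs network):
#   check_dkim "$(lookup_txt mail._domainkey.example.com)"
#   check_dmarc "$(lookup_txt _dmarc.example.com)"
```

If lookup_txt returns nothing the record has not propagated yet or was created under the wrong name; a record that comes back but fails the check is usually a copy-and-paste error in the value.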